Credit Card Scrapers Continue to Target Magento

Researchers said last week they came across a malicious function that was snuck into a module in Magento in order to steal credit card information.

Attackers continue to take aim at the e-commerce platform Magento. Researchers said last week they came across a malicious function snuck into one of the platform’s modules in order to steal credit card information.

Code for the function was injected into a .php file for SF9 Realex, a module that helps sites store customer credit card data for the one-click checkout functionality commonly used by repeat customers. The module interacts with the Realex RealAuth Remote and Redirect systems, “very popular solutions in the Magento community,” according to Bruno Zanelato, a researcher with the firm Sucuri, who found the malicious function.

The function, sendCCNumber(), reroutes credit card information entered by a customer from Magento to an attacker’s email address, hidden inside a variable later in the code. The data, encoded in JSON, arrives in the attacker’s inbox without the victim being any the wiser.

According to researchers, the attacker uses binlist.net, a public web service for searching issuer identification numbers (IIN), to help identify which bank each card is associated with.
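A store owner can sweep module directories for the indicators named above: the sendCCNumber() function and references to binlist.net. The Python script below is an added example, not code from Sucuri or from the original article; its sample files are constructed stand-ins, and the mail() rule is an assumed heuristic rather than something the researchers described.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: the injected function name and the IIN
# lookup service. The mail() rule is an added heuristic (assumption): a
# payment module rarely needs to send e-mail itself, so a hit deserves review.
INDICATORS = {
    "injected-function": re.compile(r"\bsendCCNumber\s*\("),
    "iin-lookup": re.compile(r"binlist\.net", re.IGNORECASE),
    "mail-call": re.compile(r"(?<![\w>:$])mail\s*\(", re.IGNORECASE),
}

def scan_php_tree(root):
    """Return sorted (relative_path, line_number, indicator) hits under root."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern in INDICATORS.items():
                if pattern.search(line):
                    hits.append((path.relative_to(root).as_posix(), line_no, name))
    return sorted(hits)

def demo():
    """Scan a constructed module tree: one clean file, one tampered file."""
    clean = "<?php\nclass Clean {\n  function sendEmailReceipt() { return true; }\n}\n"
    # Constructed stand-in for a tampered file: indicator strings only.
    tampered = (
        "<?php\n"
        "class Tampered {\n"
        "  function sendCCNumber() {\n"
        "    $lookup = 'binlist.net'; // placeholder\n"
        "    mail($to, $subject, $body);\n"
        "  }\n"
        "}\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        module = Path(tmp) / "module" / "Model"
        module.mkdir(parents=True)
        (module / "Clean.php").write_text(clean, encoding="utf-8")
        (module / "Tampered.php").write_text(tampered, encoding="utf-8")
        return scan_php_tree(tmp)

if __name__ == "__main__":
    for rel_path, line_no, name in demo():
        print(f"{rel_path}:{line_no}: {name}")
```

A hit is a prompt for manual review against a known-good copy of the module, not proof of compromise; an attacker can rename the function, so comparing file hashes with the vendor's release remains the stronger check.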

Zanelato said Friday that attackers are going to greater lengths to target credit card data, especially in e-commerce platforms like Magento.

“Magento credit card stealers are indeed on the rise,” Zanelato wrote Friday. “While the information here is specific to Magento, realize that this can affect any platform that is used for ecommerce. As the industry grows, so will the specific attacks targeting it.”

Zanelato is quick to point out that there wasn’t a vulnerability in Magento that enabled the theft of credit card data. Instead he claims an attacker exploited a different, unnamed vulnerability in the website where the e-commerce platform is hosted. From there the attacker was able to inject script and take over SF9 Realex.

It is, however, the latest in a line of credit card stealers Sucuri researchers have observed taking advantage of Magento.

Last summer Cesar Anjos, a researcher with the firm, looked at one stealer that was loaded from another source. The stealer essentially performed a man-in-the-middle attack between the user and the checkout page after credit card information was entered. Last October, Ben Martin, a different researcher with the firm, discovered attackers scraping credit card numbers and exfiltrating them in obscure, sometimes publicly viewable image files.

Researchers with RiskIQ monitored attacks similar to ones described by Sucuri last year. The firm said the attacks it had been monitoring originated from a single hacking group targeting e-commerce platforms such as Powerfront CMS and OpenCart with a web-based keylogger in March 2016.
